Hi,
when examining the field "tcp.analysis.bytes_in_flight" in Wireshark Version
1.2.9 (SVN Rev 33171) it seems Wireshark doesn't always calculate the
correct value. As an example the following two consecutive frames:
Frame 91 (60 bytes on wire, 60 bytes captured) Ethernet II, Src:
NokiaInt_a5:60:b0 (00:a0:8e:a5:60:b0), Dst: Cisco_bd:9b:8a
(00:25:45:bd:9b:8a)
Internet Protocol, Src: 193.75.143.194 (193.75.143.194), Dst: 85.91.172.251
(85.91.172.251)
Transmission Control Protocol, Src Port: 22862 (22862), Dst Port: exapt-lmgr
(3759), Seq: 1, Ack: 18981, Len: 0
Source port: 22862 (22862)
Destination port: exapt-lmgr (3759)
[Stream index: 3]
Sequence number: 1 (relative sequence number)
Acknowledgement number: 18981 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
Window size: 64240
Checksum: 0x2ac9 [validation disabled]
Frame 92 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src:
Cisco_bd:9b:8a (00:25:45:bd:9b:8a), Dst: NokiaInt_a5:60:b0
(00:a0:8e:a5:60:b0)
Internet Protocol, Src: 85.91.172.251 (85.91.172.251), Dst: 193.75.143.194
(193.75.143.194)
Transmission Control Protocol, Src Port: exapt-lmgr (3759), Dst Port: 22862
(22862), Seq: 21901, Ack: 1, Len: 1460
Source port: exapt-lmgr (3759)
Destination port: 22862 (22862)
[Stream index: 3]
Sequence number: 21901 (relative sequence number)
[Next sequence number: 23361 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
Window size: 64240
Checksum: 0x2a1e [validation disabled]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 91]
[The RTT to ACK the segment was: 0.000121000 seconds]
[Number of bytes in flight: 7300] Data (1460 bytes)
To my knowledge the correct value for "Number of bytes in flight" should be
23361 - 18981 = 4380 in this case. That is "Next sequence number" from Frame
92 minus "Acknowledgement number" from frame 91.
Is this an known issue or I'm missing something?
Best Regards,
Stefaan
